Re: ACTION-255: Work on financial reporting text as alternative to legal requirements

On Monday 01 October 2012 19:49:37 Alan Chapell wrote:
> The only thing you and I agree upon here is that you can't provide
> the smoking gun. (:

... which is a personal limitation, not an absolute one. We can go 
ask the DPAs and people who are closer to the day by day cases to 
provide us with some really creepy stories. But I think sometimes 
misunderstandings are considered a feature.
More belowŠ
> >Oh, Airline XYZ can only do so because they have bought the
> >profile that tells them I can afford the higher price... - just
> >as an example - That we do not address first parties is
> >irrelevant for the EU and a sign of careful nudging of the US
> >community.
> In my experience, it would be unlikely (at best) that airline
> would operate in the way that you're suggesting. We need
> to distinguish what is POSSIBLE in theory from what is PRACTICAL.

The question is not about what you guess the airline would do (it 
was a broker). The point is that they collected data for the purpose 
stateful service and used it for price discrimination. This is a 
consumer protection issue. This is my point, not more. If you 
collect data to determine that somebody is from the UK, you may well 
give them a different price. Or you may exclude Germans from Youtube 
because of licensing battles between GEMA and Google. And as soon as 
there is an issue, people will route around. If the incentive is 
strong enough, the masses will move. Look at the download statistics 
of adblock plus. If you're not seen to honor privacy choices (and 
continue to do business, thus my call for innovation), the consumers 
will IMHO react with data blocking. I can show you the tools. This 
is very easy and effective. You prefer that? At some point in time, 
the arms race will hit the limit of the legislation around hacking 
(the consumer's computers)

> So if this is your example of harm, you may want to keep looking 

The harm is the undue price discrimination because of superior 
knowledge that has its roots in the data collection. Again, I don't 
know what harm you're looking for. Your exemption is not "use IP 
addresses to show PCMCP that the user that got the ad is from the 
UK". Your exemption is: "Whatever code of conduct fits me best will 
trump the user's stated preference". 

This allows to continue to build profiles despite the DNT:1 header 
being present. With a good profile you can predict people and 
manipulate them. This is why targeted advertisement is so much more 
effective and expensive. There are a gazillion other examples. Even 
a constitutional court said some 28 years ago that the creepiness 
created by those profiles has a harming dimension that justifies 
societal intervention. So it is not just me and my imagination.

And you come here, take one of my funny examples and declare: "There 
is no harm!". While it is right to question limitations, it is also 
right to question data collection. While my example may be a bit 
thin (I shouldn't have provided one, just point you to a large 
collection, Ninja's office has one) its thinness can't be taken as 
an argument to question the collection limitation principle in 
general as introduced by the OECD in 1981. 

> >> >2/ Democratic values
> >[...]
> If you put the third party intermediaries out of business - by
> definition the marketplace will be smaller.

If the only option for SMEs to survive would be unlimited data 
collection for financial reporting, this would be a sinister 
outlook, indeed. 

> >Because there is a fundamental transatlantic divide. We have that
> >even internally. While the eastern part believes that the
> >availability of organized personal data is very prone to abuse,
> >the western part believes that it is all about use limitations.
> >Give the data to the junkie but say: "do not use!". Some
> >believe, some don't. Note that those legitimate exceptions are
> >law in EU. Self regulation has to re-invent those. For the
> >unregulated, this is a test whether we can find a reasonable
> >compromise without the formal democratic process.
> I have no idea what you mean here 

Normal, you are part of the divided landscape and you haven't tried 
looking beyond your own side of things. This is all about collection 
limitations and quick transformations of personal data collected to 
remove the personal context. Mainly, large collections of personal 
data are seen as an intrinsic danger. 

> But while we're on the subject
> of providing arguments for your assertions, I'd invite you to
> provide a specific argument of harm that addresses the request
> for exemptions. If the is the best you can do, well...

Google for Censilia and Zensursula. You'll find a filtering system 
for control of information streams with large scope creep (also 
active in the US and Canada I think). I said already 2 times: 
Governments and others would love to have national Internets they 
can control. The more you collect data, the more you can control 
people. You say: But I promise not to control people with that data. 
Others may say, avoid the collection in the first place, especially 
if the users has asked you not to collect. In Egypt, they found ways 
around very quickly. You haven't answered that argument yet.

The problem with your exemption is that it can be believed to be the 
portal for collection scope creep even under DNT:1. The more I see 
the intensity of the fight, the more I'm inclined to believe in the 
scope creep here. How can it be avoided that you create the 
contractual obligations that allows you to collect data under 
exemptions as before regardless of the DNT header?
> >I see the polls that indicate that over 56% of Europeans erase
> >_all_ their cookies at least once a month. 25% weekly (from the
> >top of my head, search for eurobarometer).
> >
> >2002, the industry thought: "danger banned, no privacy provisions
> >in the US, move on". And the browsers thought: "we manage
> >cookies by blocking tools". Ten years after, we are back to the
> >core semantic problem: "Can I trust your assertions?". What does
> >that tell me? Everybody has to optimize in some direction.
> >That's what this effort is all about. I have to optimize in the
> >direction of excellence... And putting in question the bases of
> >the effort for financial reporting is against my optimization
> >target. And there, your wording was much better (and stronger)
> >than mine.
> Thank you. Its interesting that you reference P3P. Do you believe
> that P3P was a success?

It was a huge success for the industry to avoid legislation in the 
US. It was a huge browser-failure. And it was a respectable 
scientific success as all newer policy and data handling research is 
still very often based on the P3P statement vocabulary. I don't 
think all browsers will repeat the same mistakes. IMHO, the changes 
without DNT would change your business more than I ever could with 
my emails and discussion. I'm trying to find a middle ground and new 
ways to allow for the same business with less data to avoid that 
bump. I try to help. If this leads into the trenches, it is 


Received on Tuesday, 2 October 2012 07:55:13 UTC